Lazarus Group (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

Lazarus Group (Back to overview)

aka: Operation DarkSeoul, Dark Seoul, Hidden Cobra, Hastati Group, Andariel, Unit 121, Bureau 121, NewRomanic Cyber Army Team, Bluenoroff, Subgroup: Bluenoroff, Group 77, Labyrinth Chollima, Operation Troy, Operation GhostSecret, Operation AppleJeus, APT38, APT 38, Stardust Chollima, Whois Hacking Team, Zinc, Appleworm, Nickel Academy, APT-C-26, NICKEL GLADSTONE, COVELLITE, ATK3, G0032, ATK117, G0082

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.

Associated Families

win.unidentified_101 win.unidentified_090 aix.fastcash apk.badcall apk.hardrain elf.badcall js.quickcafe osx.3cx_backdoor osx.casso osx.dacls osx.manuscrypt osx.rustbucket osx.watchcat osx.yort php.redhat_hacker ps1.powerbrace ps1.powerspritz win.3cx_backdoor win.alphanc win.artfulpie win.bitsran win.blindtoad win.bookcodesrat win.bootwreck win.brambul win.bravonc win.buffetline win.cheesetray win.cleantoad win.crat win.cur1_downloader win.dacls win.deltas win.duuzer win.electricfish win.ghost_rat win.ghost_secret win.gopuram win.hardrain win.hermes win.hoplight win.hotcroissant win.httpsuploader win.iconic_stealer win.joanap win.keymarble win.klackring win.lazardoor win.lazarloader win.op_blockbuster win.power_ratankba win.pslogger win.romeos win.rustbucket win.slickshoes win.touchmove win.unidentified_042 win.veiledsignal win.winordll64 win.anchormtea win.racket win.comebacker win.lcpdot win.webbytea win.cloudburst win.ratankba win.interception win.nestegg win.ratankbapos win.wormhole osx.interception win.bluenoroff osx.poolrat osx.unidentified_001 win.unidentified_077 win.sierras win.contopee win.dyepack win.badcall win.alreay win.darkcomet win.phandoor win.rifdoor win.dtrack win.magic_rat win.vsingle win.bankshot win.banpolmex win.hotwax win.lazarus_killdisk win.nachocheese win.redshawl win.volgmer win.wannacryptor win.coredn win.dratzarus win.lpeclient win.fudmodule win.jessiecontea win.neddnloader win.fuwuqidrama osx.applejeus win.applejeus win.snatchcrypto win.vyveva win.blindingcan win.torisma win.bistromath

References

2023-08-31 ⋅ AhnLab ⋅ Sanseo
Analysis of Andariel’s New Attack Activities
Andardoor BlackRemote Tiger RAT Volgmer

2023-08-22 ⋅ AhnLab ⋅ ASEC Analysis Team
Analyzing the new attack activity of the Andariel group
Andardoor MimiKatz QuiteRAT Tiger RAT Volgmer

2023-07-05 ⋅ SentinelOne ⋅ Phil Stokes
BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection
RustBucket

2023-06-29 ⋅ Elastic ⋅ Colson Wilhoit, Salim Bitam, Seth Goodwin, Andrew Pease, Ricardo Ungureanu
The DPRK strikes using a new variant of RUSTBUCKET
RustBucket

2023-06-08 ⋅ AhnLab ⋅ ASEC Analysis Team
Lazarus Group exploiting vulnerabilities in domestic financial security solutions
LazarDoor LazarLoader

2023-05-25 ⋅ YouTube (BSidesCharm) ⋅ Asheer Malhotra
it’s all Magic(RAT) – A look into recent North Korean nation-state attacks
MagicRAT VSingle YamaBot

2023-05-22 ⋅ Sekoia ⋅ Jamila B., Kilian Seznec, Charles M.
Bluenoroff’s RustBucket campaign
RustBucket WebbyTea

2023-05-01 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Attack trends related to the attack campaign DangerousPassword
RustBucket CageyChameleon Cur1Downloader SnatchCrypto

2023-04-24 ⋅ Cofense ⋅ Austin Jones
Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release
Ghost RAT

2023-04-21 ⋅ Symantec ⋅ Threat Hunter Team
X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe
VEILEDSIGNAL

2023-04-21 ⋅ Jamf Blog ⋅ Ferdous Saljooki, Jaron Bradley
BlueNoroff APT group targets macOS with ‘RustBucket’ Malware
RustBucket

2023-04-20 ⋅ ESET Research ⋅ Peter Kálnai, Marc-Etienne M.Léveillé
Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack
BADCALL 3CX Backdoor BADCALL IconicStealer

2023-04-20 ⋅ 3CX ⋅ Agathocles Prodromou
Security Update Thursday 20 April 2023 – Initial Intrusion Vector Found
POOLRAT

2023-04-20 ⋅ Mandiant ⋅ JEFF JOHNSON, Fred Plan, ADRIAN SANCHEZ, RENATO FONTANA, Jake Nicastro, Dimiter Andonov, Marius Fodoreanu, DANIEL SCOTT
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
POOLRAT IconicStealer

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-04-13 ⋅ Intel 471 ⋅ Souhail Hammou, Jorge Rodriguez
From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT
BBSRAT Gh0stTimes Ghost RAT PseudoManuscrypt

2023-04-12 ⋅ Kaspersky Labs ⋅ Seongsu Park
Following the Lazarus group by tracking DeathNote campaign
Bankshot BLINDINGCAN LPEClient MimiKatz NedDnLoader Racket Downloader Volgmer

2023-04-03 ⋅ Kaspersky Labs ⋅ Georgy Kucherin
Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack
Gopuram

2023-04-03 ⋅ Youtube (MalwareAnalysisForHedgehogs) ⋅ Karsten Hahn
Malware Analysis - 3CX SmoothOperator ffmpeg.dll with Binary Ninja
3CX Backdoor

2023-04-03 ⋅ Twitter (@kucher1n) ⋅ Georgy Kucherin
Tweet on an alternative Guporam sample
Gopuram

2023-04-01 ⋅ Github (dodo-sec) ⋅ dodo-sec
SmoothOperator
3CX Backdoor

2023-04-01 ⋅ Objective-See ⋅ Patrick Wardle
Ironing out (the macOS) details of a Smooth Operator (Part II)
3CX Backdoor

2023-03-31 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Initial Implants and Network Analysis Suggest the 3CX Supply Chain Operation Goes Back to Fall 2022
3CX Backdoor

2023-03-31 ⋅ Reversing Labs ⋅ Karlo Zanki
Red flags flew over software supply chain-compromised 3CX update
3CX Backdoor

2023-03-31 ⋅ Zscaler ⋅ Rohit Hegde, Niraj Shivtarkar, Meghraj Nandanwar
3CX Supply Chain Attack Campaign Campaign Analysis
3CX Backdoor

2023-03-31 ⋅ vmware ⋅ Threat Analysis Unit
Investigating 3CX Desktop Application Attacks: What You Need to Know
3CX Backdoor

2023-03-31 ⋅ cyble ⋅ Cyble
A Comprehensive Analysis of the 3CX Attack
3CX Backdoor

2023-03-31 ⋅ Group-IB ⋅ Group-IB
36gate: supply chain attack
3CX Backdoor

2023-03-31 ⋅ splunk ⋅ Splunk Threat Research Team
Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise
3CX Backdoor

2023-03-30 ⋅ Huntress Labs ⋅ John Hammond
3CX VoIP Software Compromise & Supply Chain Threats
3CX Backdoor

2023-03-30 ⋅ Volexity ⋅ Ankur Saini, Callum Roxan, Charlie Gardner, Paul Rascagnères, Steven Adair, Thomas Lancaster
3CX Supply Chain Compromise Leads to ICONIC Incident
3CX Backdoor IconicStealer

2023-03-30 ⋅ Rapid7 Labs ⋅ Rapid7
Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign
3CX Backdoor

2023-03-30 ⋅ Symantec ⋅ Threat Hunter Team
3CX: Supply Chain Attack Affects Thousands of Users Worldwide
3CX Backdoor IconicStealer

2023-03-30 ⋅ Fortiguard ⋅ FortiGuard Labs
3CX Desktop App Compromised (CVE-2023-29059)
3CX Backdoor

2023-03-30 ⋅ Trend Micro ⋅ Trend Micro Research
Developing Story: Information on Attacks Involving 3CX Desktop App
3CX Backdoor IconicStealer

2023-03-30 ⋅ CrowdStrike ⋅ CS ENGINEER
2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers
3CX Backdoor

2023-03-30 ⋅ Cado Security ⋅ Cado Security
Forensic Triage of a Windows System running the Backdoored 3CX Desktop App
3CX Backdoor

2023-03-30 ⋅ Elastic ⋅ Daniel Stepanic, Remco Sprooten, Joe Desimone, Samir Bousseaden, Devon Kerr
Elastic users protected from SUDDENICON’s supply chain attack
3CX Backdoor

2023-03-30 ⋅ OALabs ⋅ Sergei Frankoff
3CX Supply Chain Attack
3CX Backdoor

2023-03-29 ⋅ CrowdStrike ⋅ Research & Threat Intel
CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
3CX Backdoor

2023-03-29 ⋅ SentinelOne ⋅ Juan Andrés Guerrero-Saade
SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
3CX Backdoor

2023-03-29 ⋅ Objective-See ⋅ Patrick Wardle
Ironing out (the macOS details) of a Smooth Operator
3CX Backdoor

2023-03-20 ⋅ SecurityIntelligence ⋅ John Dwyer
When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule
FudModule

2023-03-09 ⋅ Mandiant ⋅ Mandiant Intelligence
Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW
FudModule

2023-03-09 ⋅ Mandiant ⋅ Mandiant Intelligence
Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970
CLOUDBURST TOUCHMOVE TOUCHSHIFT

2023-02-23 ⋅ Bitdefender ⋅ Martin Zugec, Bitdefender Team
Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966
Cobalt Strike DarkComet QuiteRAT RATel

2023-02-23 ⋅ ESET Research ⋅ Vladislav Hrčka
WinorDLL64: A backdoor from the vast Lazarus arsenal?
WinorDLL64

2023-02-21 ⋅ SecurityIntelligence ⋅ Ruben Boonen
Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
FudModule

2023-02-09 ⋅ NSA, FBI, CISA, HHS, ROK, DSA
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
Dtrack MagicRAT Maui Ransomware SiennaBlue SiennaPurple Tiger RAT YamaBot

2023-02-02 ⋅ WithSecure ⋅ Sami Ruohonen, Stephen Robinson
No Pineapple! –DPRK Targeting of Medical Research and Technology Sector
Dtrack GREASE QuiteRAT

2023-01-05 ⋅ AttackIQ ⋅ Francis Guibernau, Ken Towne
Emulating the Highly Sophisticated North Korean Adversary Lazarus Group
MagicRAT Tiger RAT

2022-12-27 ⋅ Kaspersky ⋅ Seongsu Park
BlueNoroff introduces new methods bypassing MoTW
LazarLoader Unidentified 101 (Lazarus?)

2022-12-20 ⋅ K7 Security ⋅ Mellvin S
Lazarus APT’s Operation Interception Uses Signed Binary
Interception

2022-12-16 ⋅ Sekoia ⋅ Threat & Detection Research Team, Jamila B.
The DPRK delicate sound of cyber
AppleJeus AppleJeus SnatchCrypto

2022-11-29 ⋅ Qianxin ⋅ Red Raindrop Team
Job hunting trap: Analysis of Lazarus attack activities using recruitment information such as Mizuho Bank of Japan as bait
CageyChameleon Cur1Downloader

2022-11-23 ⋅ Twitter (@RedDrip7) ⋅ RedDrip Team
Tweets about potential Lazarus sample
Unidentified 101 (Lazarus?)

2022-11-21 ⋅ vmware ⋅ Threat Analysis Unit
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)
Dacls

2022-11-15 ⋅ Kaspersky Labs ⋅ Konstantin Zykov, Jornt van der Wiel
DTrack activity targeting Europe and Latin America
Dtrack

2022-10-24 ⋅ AhnLab ⋅ ASEC Analysis Team
Malware infection case of Lazarus attack group that neutralizes antivirus program with BYOVD technique
LazarDoor

2022-09-30 ⋅ Virus Bulletin ⋅ Peter Kálnai, Matěj Havránek
Lazarus & BYOVD: evil to the Windows core
FudModule

2022-09-30 ⋅ ESET Research ⋅ Peter Kálnai
Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
BLINDINGCAN FudModule HTTP(S) uploader TOUCHMOVE

2022-09-29 ⋅ Microsoft ⋅ Microsoft Security Threat Intelligence, LinkedIn Threat Prevention and Defense
ZINC weaponizing open-source software
CLOUDBURST

2022-09-26 ⋅ SentinelOne ⋅ Dinesh Devadoss, Phil Stokes
Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto
Interception

2022-09-26 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-09-22 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team
Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD
FudModule

2022-09-15 ⋅ Symantec ⋅ Threat Hunter Team
Webworm: Espionage Attackers Testing and Using Older Modified RATs
9002 RAT Ghost RAT Trochilus RAT

2022-09-14 ⋅ Mandiant ⋅ macla, Mathew Potaczek, Nino Isakovic, Matt Williams, Yash Gupta
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
BLINDINGCAN

2022-09-10 ⋅ Malverse ⋅ greenplan
Realizziamo un C&C Server in Python (Bankshot)
Bankshot

2022-09-08 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Vitor Ventura
Lazarus and the tale of three RATs
MagicRAT MimiKatz VSingle YamaBot

2022-09-07 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Vitor Ventura
MagicRAT: Lazarus’ latest gateway into victim networks
MagicRAT Tiger RAT

2022-08-16 ⋅ Twitter (@ESETresearch) ⋅ Peter Kálnai, Dominik Breitenbacher
Twitter thread about Operation In(ter)ception for macOS
Interception

2022-08-13 ⋅ YoutTube (Blue Team Village) ⋅ Seongsu Park
Attribution and Bias: My terrible mistakes in threat intelligence attribution
AppleJeus Olympic Destroyer

2022-08-12 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-08-09 ⋅ Kaspersky ⋅ Kurt Baumgartner, Seongsu Park
Andariel deploys DTrack and Maui ransomware
Dtrack Maui Ransomware

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Iron Taurus
CHINACHOPPER Ghost RAT Wonknu ZXShell APT27

2022-07-05 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
VSingle malware that obtains C2 server information from GitHub
VSingle

2022-06-21 ⋅ Cisco Talos ⋅ Flavio Costa, Chris Neal, Guilherme Venere
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz

2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší
Operation Earth Berberoka
reptile oRAT Ghost RAT PlugX pupy Earth Berberoka

2022-05-09 ⋅ cocomelonc ⋅ cocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu

2022-05-05 ⋅ NCC Group ⋅ Michael Matthews, Nikolaos Pantazopoulos
North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
LCPDot

2022-04-27 ⋅ Symantec ⋅ Threat Hunter Team
Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets
Dtrack VSingle

2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka

2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka

2022-04-26 ⋅ Trend Micro ⋅ Ryan Flores, Stephen Hilt, Lord Alfred Remorin
How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT

2022-04-18 ⋅ CISA ⋅ CISA, U.S. Department of the Treasury, FBI
AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)
FastCash Bankshot

2022-04-18 ⋅ CISA ⋅ CISA, FBI, U.S. Department of the Treasury
Alert (AA22-108A): TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
Bankshot

2022-04-15 ⋅ Center for Internet Security ⋅ CIS
Top 10 Malware March 2022
Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus

2022-04-14 ⋅ Symantec ⋅ Threat Hunter Team
Lazarus Targets Chemical Sector
Racket Downloader

2022-04-01 ⋅ The Hacker News ⋅ Ravie Lakshmanan
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
Fire Chili Ghost RAT

2022-03-31 ⋅ Kaspersky ⋅ GReAT
Lazarus Trojanized DeFi app for delivering malware
JessieConTea LCPDot

2022-03-30 ⋅ Fortinet ⋅ Rotem Sde-Or, Eliran Voronovitch
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Fire Chili Ghost RAT

2022-03-17 ⋅ Sophos ⋅ Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2022-03-16 ⋅ AhnLab ⋅ ASEC Analysis Team
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers
Ghost RAT Kingminer

2022-03-01 ⋅ Github (0xZuk0) ⋅ Dipankar Lama
Malware Analysis Report: WannaCry Ransomware
WannaCryptor

2022-02-11 ⋅ Cisco Talos ⋅ Talos
Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus

2022-02-09 ⋅ Sentinel LABS ⋅ Tom Hegel
ModifiedElephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC ModifiedElephant

2022-02-09 ⋅ SentinelOne ⋅ Tom Hegel, Juan Andrés Guerrero-Saade
Modified Elephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC

2022-01-31 ⋅ Cyber Geeks ⋅ Vlad Pasca
A Detailed Analysis Of Lazarus APT Malware Disguised As Notepad++ Shell Extension
AnchorMTea

2022-01-13 ⋅ Kaspersky Labs ⋅ Seongsu Park, Vitaly Kamluk
The BlueNoroff cryptocurrency hunt is still on
CageyChameleon SnatchCrypto WebbyTea

2021-12-14 ⋅ Trend Micro ⋅ Nick Dai, Ted Lee, Vickie Su
Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT xPack

2021-12 ⋅ ThreatBook ⋅ ThreatBook
The Lazarus Group suspected of expanding its arsenal? The hackers target aviation industry and researchers
AnchorMTea

2021-11-10 ⋅ AhnLab ⋅ ASEC Analysis Team
Analysis Report of Lazarus Group’s NukeSped Malware
DarkComet Tiger RAT

2021-10-11 ⋅ Telsy ⋅ Telsy
Lazarus Group continues AppleJeus Operation
AppleJeus

2021-10-08 ⋅ Virus Bulletin ⋅ Seongsu Park
Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Dacls AppleJeus AppleJeus Bankshot BookCodes RAT Dacls DRATzarus LCPDot LPEClient

2021-10-07 ⋅ Virus Bulletin ⋅ Taewoo Lee, Dongwook Kim, Byeongjae Kim
Operation Bookcodes – targeting South Korea
BookCodes RAT LPEClient

2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT

2021-10-04 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Malware Gh0stTimes Used by BlackTech
Gh0stTimes Ghost RAT

2021-09-07 ⋅ LIFARS ⋅ Vlad Pasca
A Detailed Analysis of Lazarus’ RAT Called FALLCHILL
Volgmer

2021-09-06 ⋅ cocomelonc ⋅ cocomelonc
AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze

2021-09-04 ⋅ cocomelonc ⋅ cocomelonc
AV engines evasion for C++ simple malware: part 1
4h_rat Azorult BADCALL BadNews BazarBackdoor Cardinal RAT

2021-08-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch
PEB: Where Magic Is Stored
Dacls

2021-08-22 ⋅ media.ccc.de ⋅ Lars Wallenborn
The Bangladesh cyber bank robbery: Tracking down major criminals with malware analysis
DYEPACK

2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet

2021-07-10 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani
Analysis of AppleJeus Malware by Lazarus Group
AppleJeus

2021-07-08 ⋅ Medium s2wlab ⋅ Sojun Ryu
Analysis of Lazarus malware abusing Non-ActiveX Module in South Korea
Racket Downloader

2021-06-15 ⋅ Kaspersky ⋅ Seongsu Park
Andariel evolves to target South Korea with ransomware
BISTROMATH PEBBLEDASH TigerLite Tiger RAT Unidentified 081 (Andariel Ransomware)

2021-05-11 ⋅ Qianxin ⋅ Red Raindrop Team
Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait
BISTROMATH TigerLite

2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Mohd Sadique, Manohar Ghule
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos

2021-04-28 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C Chen
Water Pamola Attacked Online Shops Via Malicious Orders
Ghost RAT

2021-04-19 ⋅ Malwarebytes ⋅ Hossein Jazi
Lazarus APT conceals malicious code within BMP image to drop its RAT
BISTROMATH

2021-04-15 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team
Operation Dream Job Targeting Job Seekers in South Korea
LCPDot Torisma

2021-04-08 ⋅ ESET Research ⋅ Filip Jurčacko
(Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor
Vyveva RAT

2021-04-02 ⋅ Dr.Web ⋅ Dr.Web
Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT TA428

2021-04-01 ⋅ AhnLab ⋅ ASEC Analysis Team
ASEC REPORT VOL.102 Q1 2021
ComeBacker JessieConTea LCPDot

2021-03-22 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta)
VSingle

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2021-03-15 ⋅ Sophos Labs ⋅ Mark Loman
DearCry ransomware attacks exploit Exchange server vulnerabilities
dearcry WannaCryptor

2021-03-03 ⋅ SYGNIA ⋅ Amitai Ben Shushan, Noam Lifshitz, Amnon Kushnir, Martin Korman, Boaz Wasserman
Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware
Dacls Dacls Dacls TFlower

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team

2021-02-26 ⋅ YouTube (Black Hat) ⋅ Kevin Perlow
FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud
FastCash

2021-02-25 ⋅ Kaspersky Labs ⋅ Vyacheslav Kopeytsev, Seongsu Park
Lazarus targets defense industry with ThreatNeedle
HTTP(S) uploader LPEClient Volgmer

2021-02-25 ⋅ Intezer ⋅ Intezer
Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-22 ⋅ tccontre Blog ⋅ tcontre
Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload
Ghost RAT

2021-02-18 ⋅ Symantec ⋅ Threat Hunter Team
Lazarus: Three North Koreans Charged for Financially Motivated Attacks
AppleJeus POOLRAT Unidentified macOS 001 (UnionCryptoTrader) AppleJeus Unidentified 077 (Lazarus Downloader)

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
AppleJeus Unidentified macOS 001 (UnionCryptoTrader) AppleJeus

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
AppleJeus AppleJeus

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
AppleJeus AppleJeus Unidentified 077 (Lazarus Downloader)

2021-02-17 ⋅ US-CERT ⋅ US-CERT
Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
AppleJeus AppleJeus

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
AppleJeus AppleJeus

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
AppleJeus AppleJeus

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
AppleJeus AppleJeus

2021-02-17 ⋅ US-CERT ⋅ CISA
Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
AppleJeus AppleJeus

2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou
Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy Red Dev 17

2021-02-01 ⋅ One Night in Norfolk ⋅ Kevin Perlow
DPRK Targeting Researchers II: .Sys Payload and Registry Hunting
ComeBacker

2021-01-30 ⋅ Microstep Intelligence Bureau ⋅ Microstep online research response team
Analysis of Lazarus attacks against security researchers
ComeBacker

2021-01-29 ⋅ NSFOCUS ⋅ Fuying Laboratory
认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析
ComeBacker DRATzarus Torisma

2021-01-28 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team
ZINC attacks against security researchers
ComeBacker Klackring

2021-01-27 ⋅ S2W LAB Inc. ⋅ Sojun Ryu
How to communicate between RAT infected devices (White paper)
Volgmer

2021-01-27 ⋅ S2W LAB Inc. ⋅ Sojun Ryu
Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)
Volgmer

2021-01-26 ⋅ Comae ⋅ Matt Suiche
PANDORABOX - North Koreans target security researchers
ComeBacker

2021-01-26 ⋅ One Night in Norfolk ⋅ Kevin Perlow
DPRK Malware Targeting Security Researchers
ComeBacker

2021-01-26 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Operation Dream Job by Lazarus
LCPDot Torisma Lazarus Group

2021-01-25 ⋅ Google ⋅ Adam Weidemann
New campaign targeting security researchers
ComeBacker DRATzarus

2021-01-20 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Commonly Known Tools Used by Lazarus
Lazarus Group

2021-01-15 ⋅ Swisscom ⋅ Markus Neis
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-07 ⋅ Github (hvs-consulting) ⋅ HvS-Consulting AG
Lazarus / APT37 IOCs
Lazarus Group

2021-01-01 ⋅ Objective-See ⋅ Patrick Wardle
The Mac Malware of 2020 - a comprehensive analysis of the year's new malware
AppleJeus Dacls EvilQuest FinFisher WatchCat XCSSET

2020-12-23 ⋅ Kaspersky Labs ⋅ Seongsu Park
Lazarus covets COVID-19-related intelligence
BookCodes RAT

2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW
2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader

2020-12-18 ⋅ Seqrite ⋅ Pavankumar Chaudhari
RAT used by Chinese cyberspies infiltrating Indian businesses
Ghost RAT

2020-12-15 ⋅ HvS-Consulting AG ⋅ HvS-Consulting AG
Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN HTTP(S) uploader MimiKatz

2020-12-15 ⋅ HvS-Consulting AG ⋅ HvS-Consulting AG
Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group

2020-12-11 ⋅ PWC UK ⋅ Twitter (@BitsOfBinary)
Tweet on macOS Manuscypt samples
Manuscrypt

2020-12-10 ⋅ Intel 471 ⋅ Intel 471
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT

2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus

2020-12-09 ⋅ CrowdStrike ⋅ Josh Burgess, Jason Rivera
From Zero to SixtyThe Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower
FastCash Hermes WannaCryptor

2020-11-27 ⋅ Macnica ⋅ Hiroshi Takeuchi
Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack

2020-11-27 ⋅ Microstep Intelligence Bureau ⋅ Microstep online research response team
钱包黑洞：Lazarus 组织近期在加密货币方面的隐蔽攻击活动
Manuscrypt

2020-11-21 ⋅ vxhive blog ⋅ 0xastrovax
Deep Dive Into HERMES Ransomware
Hermes

2020-11-16 ⋅ ESET Research ⋅ Anton Cherepanov, Peter Kálnai
Lazarus supply‑chain attack in South Korea
BookCodes RAT Lazarus Group

2020-11-14 ⋅ Medium 0xastrovax ⋅ astrovax
Deep Dive Into Ryuk Ransomware
Hermes Ryuk

2020-11-12 ⋅ Talos ⋅ Asheer Malhotra
CRAT wants to plunder your endpoints
CRAT

2020-11-05 ⋅ McAfee ⋅ Christiaan Beek, Ryan Sherstobitoff
Operation North Star: Behind The Scenes
NedDnLoader Torisma

2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti

2020-10-28 ⋅ Twitter (@BitsOfBinary) ⋅ John
Tweet on macOS version of Manuscrypt
Manuscrypt

2020-10-27 ⋅ Dr.Web ⋅ Dr.Web
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad

2020-10-03 ⋅ VB Localhost ⋅ Takai Hajime, Shogo Hayashi, Rintaro Koike
Unveiling the CryptoMimic
CageyChameleon SnatchCrypto

2020-09-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
BLINDINGCAN - Malware Used by Lazarus
BLINDINGCAN Lazarus Group

2020-09-16 ⋅ Qianxin ⋅ Red Raindrop Team
Target defense industry: Lazarus uses recruitment bait combined with continuously updated cyber weapons
CRAT

2020-09-15 ⋅ CrowdStrike ⋅ CrowdStrike Overwatch Team
Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN

2020-08-31 ⋅ SentinelOne ⋅ Jim Walter
The BLINDINGCAN RAT and Malicious North Korean Activity
BLINDINGCAN

2020-08-31 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Malware Used by Lazarus after Network Intrusion
Lazarus Group

2020-08-26 ⋅ CISA ⋅ CISA
MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT
NACHOCHEESE

2020-08-26 ⋅ CISA ⋅ CISA
MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON
PSLogger

2020-08-26 ⋅ CISA ⋅ CISA, U.S. Department of the Treasury, FBI, U.S. Cyber Command
Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks
FastCash

2020-08-19 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN

2020-08-19 ⋅ CISA ⋅ CISA
MAR-10295134-1.v1 - North Korean Remote Access Trojan: BLINDINGCAN
BLINDINGCAN

2020-08-13 ⋅ ClearSky ⋅ ClearSky Research Team
Operation ‘Dream Job’ Widespread North Korean Espionage Campaign
DRATzarus LPEClient NedDnLoader

2020-08-05 ⋅ BlackHat ⋅ Kevin Perlow
FASTCashand INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud
FastCash

2020-08-05 ⋅ BlackHat ⋅ Kevin Perlow
FASTCash and Associated Intrusion Techniques
FastCash

2020-08 ⋅ TG Soft ⋅ TG Soft
TG Soft Cyber - Threat Report
DarkComet Darktrack RAT Emotet ISFB

2020-08 ⋅ Temple University ⋅ CARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor

2020-07-29 ⋅ McAfee ⋅ McAfee Labs
Operation (노스 스타) North Star A Job Offer That’s Too Good to be True?
NedDnLoader

2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-07-28 ⋅ Kaspersky Labs ⋅ Ivan Kwiatkowski, Pierre Delcher, Félix Aime
Lazarus on the hunt for big game
Dacls Dacls Dacls VHD Ransomware

2020-07-28 ⋅ NTT ⋅ NTT Security
CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX

2020-07-27 ⋅ SentinelOne ⋅ Phil Stokes
Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform
AppleJeus Casso Dacls WatchCat

2020-07-22 ⋅ Kaspersky Labs ⋅ GReAT
MATA: Multi-platform targeted malware framework
Dacls Dacls Dacls

2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon
What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell

2020-06-29 ⋅ KISA ⋅ KrCERT
OPERATION BOOKCODES TTPs #2
BookCodes RAT

2020-06-28 ⋅ Twitter (@ccxsaber) ⋅ z3r0
Tweet on Sample
Unidentified 077 (Lazarus Downloader)

2020-06-23 ⋅ ReversingLabs ⋅ Karlo Zanki
Hidden Cobra - from a shed skin to the viper’s nest
Bankshot PEBBLEDASH TAINTEDSCRIBE

2020-06-17 ⋅ ESET Research ⋅ Dominik Breitenbacher, Kaspars Osis
Operation In(ter)ception: Targeted Attacks against European Aerospace and Military Companies
Interception

2020-06-14 ⋅ BushidoToken ⋅ BushidoToken
Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)

2020-06-09 ⋅ Kaspersky Labs ⋅ Costin Raiu
Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel

2020-06-05 ⋅ Prevailion ⋅ Danny Adamitis
The Gh0st Remains the Same
Ghost RAT

2020-06-04 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT

2020-05-31 ⋅ Twitter (ShadowChasing1) ⋅ Shadow Chaser Group
Tweet on DTRACK malware
Dtrack

2020-05-20 ⋅ Medium Asuna Amawaka ⋅ Asuna Amawaka
What happened between the BigBadWolf and the Tiger?
Ghost RAT

2020-05-14 ⋅ Avast Decoded ⋅ Luigino Camastra
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Ghost RAT Microcin MimiKatz Vicious Panda

2020-05-12 ⋅ US-CERT ⋅ US-CERT
MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE
Bankshot

2020-05-11 ⋅ Trend Micro ⋅ Gabrielle Joyce Mabutas, Kazuki Fujisawa
New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability
Dacls

2020-05-11 ⋅ Trend Micro ⋅ Gabrielle Joyce Mabutas, Kazuki Fujisawa
New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability
Dacls

2020-05-07 ⋅ AVAR ⋅ Mark Lechtik, Ariel Jugnheit
The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market
Volgmer

2020-05-06 ⋅ Malwarebytes ⋅ Hossein Jazi, Thomas Reed, Jérôme Segura
New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app
Dacls

2020-05-05 ⋅ Objective-See ⋅ Patrick Wardle
The Dacls RAT ...now on macOS! deconstructing the mac variant of a lazarus group implant
Dacls

2020-05-04 ⋅ ADEO DFIR ⋅ ADEO DFIR
APT38 Lazarus Threat Analysis Report
BLINDTOAD ELECTRICFISH

2020-04-16 ⋅ VMWare Carbon Black ⋅ Scott Knight
The Evolution of Lazarus
HOTCROISSANT Rifdoor

2020-04-14 ⋅ Qianxin ⋅ Qi'anxin Threat Intelligence
The Lazarus APT organization uses the new crown epidemic bait to target a targeted attack analysis of a country
CRAT

2020-04-09 ⋅ suspected.tistory.com ⋅ hmkang92
Malware analysis (Emergency inquiry for Coronavirus response in Jeollanam-do.hwp)
CRAT

2020-04-01 ⋅ KISA ⋅ KrCERT
OPERATION BOOKCODES TTPs #1
BookCodes RAT

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA

2020-03-05 ⋅ SophosLabs ⋅ Sergei Shevchenko
Cloud Snooper Attack Bypasses AWS Security Measures
Cloud Snooper Ghost RAT

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle

2020-02-26 ⋅ MetaSwan's Lab ⋅ MetaSwan
Lazarus group's Brambul worm of the former Wannacry - 2
Brambul

2020-02-26 ⋅ MetaSwan's Lab ⋅ MetaSwan
Lazarus group's Brambul worm of the former Wannacry - 1
Brambul WannaCryptor

2020-02-25 ⋅ SentinelOne ⋅ Jim Walter
DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity
ARTFULPIE BISTROMATH BUFFETLINE CHEESETRAY HOPLIGHT HOTCROISSANT SLICKSHOES

2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus

2020-02-22 ⋅ Objective-See ⋅ Patrick Wardle
Weaponizing a Lazarus Group Implant: repurposing a 1st-stage loader, to execute custom 'fileless' payloads
AppleJeus

2020-02-19 ⋅ Lexfo ⋅ Lexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor

2020-02-14 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20–045B): MAR-10265965-2.v1 - North Korean Trojan: SLICKSHOES
SLICKSHOES

2020-02-14 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20-045G): MAR-10135536-8.v4 - North Korean Trojan: HOPLIGHT
HOPLIGHT

2020-02-14 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20-045F): MAR-10271944-3.v1 - North Korean Trojan: BUFFETLINE
BUFFETLINE

2020-02-14 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20-045E): MAR-10271944-2.v1 - North Korean Trojan: ARTFULPIE
ARTFULPIE

2020-02-14 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20-045C)
CHEESETRAY

2020-02-14 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20-045D): MAR-10271944-1.v1 - North Korean Trojan: HOTCROISSANT
HOTCROISSANT

2020-02-14 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH
BISTROMATH

2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor

2020-02-02 ⋅ Youtube (Ghidra Ninja) ⋅ Ghidra Ninja
Reversing WannaCry Part 2 - Diving into the malware with #Ghidra
WannaCryptor

2020-01-26 ⋅ Brown Farinholt, Mohammad Rezaeirad, Damon McCoy, Kirill Levchenko
Dark Matter: Uncovering the DarkComet RAT Ecosystem
DarkComet

2020-01-08 ⋅ Kaspersky Labs ⋅ GReAT
Operation AppleJeus Sequel
AppleJeus Unidentified macOS 001 (UnionCryptoTrader)

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE EDISON
Ghost RAT sykipot APT4 SAMURAI PANDA

2020-01-01 ⋅ Objective-See ⋅ Patrick Wardle
The Mac Malware of 2019
Gmera Mokes Yort

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE GLOBE
EtumBot Ghost RAT APT12

2020 ⋅ Secureworks ⋅ SecureWorks
ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats

2020 ⋅ Secureworks ⋅ SecureWorks
NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer

2020 ⋅ Secureworks ⋅ SecureWorks
NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27

2020 ⋅ Secureworks ⋅ SecureWorks
COPPER FIELDSTONE
Crimson RAT DarkComet Luminosity RAT NjRAT Operation C-Major

2019-12-17 ⋅ Netlab ⋅ Jinye, GenShen Ye
Lazarus Group uses Dacls RAT to attack Linux platform
Dacls Log Collector Dacls

2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech

2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center
GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM

2019-12-03 ⋅ Objective-See ⋅ Objective-See
Lazarus Group Goes 'Fileless'
Unidentified macOS 001 (UnionCryptoTrader)

2019-11-21 ⋅ Cyberbit ⋅ Hod Gavriel
Dtrack: In-depth analysis of APT on a nuclear power plant
Dtrack

2019-11-21 ⋅ ThreatBook ⋅ ThreatBook
The Nightmare of Global Cryptocurrency Companies -Demystifying the “DangerousPassword” of the APT Organization
CageyChameleon SnatchCrypto

2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell

2019-11-05 ⋅ Telsy ⋅ Telsy Research Team
The Lazarus’ gaze to the world: What is behind the first stone?
NedDnLoader Torisma

2019-11-04 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Is Lazarus/APT38 Targeting Critical Infrastructures?
Dtrack

2019-11-04 ⋅ Tencent ⋅ Tencent Security Mikan TIC
APT attack group "Higaisa" attack activity disclosed
Ghost RAT Higaisa

2019-11-03 ⋅ Github (jeFF0Falltrades) ⋅ Jeff Archer
DTrack
Dtrack

2019-10-31 ⋅ CISA ⋅ CISA
Malware Analysis Report (AR19-304A)
HOPLIGHT

2019-10-17 ⋅ Vitali Kremez
Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
AppleJeus

2019-10-12 ⋅ Objective-See ⋅ Patrick Wardle
Pass the AppleJeus
AppleJeus

2019-10-11 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez
Possible Lazarus x86 Malware (AppleJeus)
AppleJeus

2019-09-23 ⋅ Kaspersky Labs ⋅ Konstantin Zykov
Hello! My name is Dtrack
Dtrack

2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41

2019-09-18 ⋅ SophosLabs Uncut ⋅ Peter Mackenzie
The WannaCry hangover
WannaCryptor

2019-09-17 ⋅ Talos ⋅ Christopher Evans, David Liebenberg
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT

2019-09-17 ⋅ SophosLabs ⋅ Peter Mackenzie
WannaCry Aftershock
WannaCryptor

2019-09-09 ⋅ CISA ⋅ CISA
Malware Analysis Report (AR19-252A)
BADCALL BADCALL

2019-08-11 ⋅ Twitter (@KevinPerlow) ⋅ Kevin Perlow
Updated #Lazarus Keylogger (uploaded June)
PSLogger

2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy

2019-07-28 ⋅ Dissecting Malware ⋅ Marius Genheimer
Third time's the charm? Analysing WannaCry samples
WannaCryptor

2019-07-11 ⋅ NTT Security ⋅ NTT Security
Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot

2019-05-30 ⋅ Talos Intelligence ⋅ Vanja Svajcer
10 years of virtual dynamite: A high-level retrospective of ATM malware
FastCash Project Alice Cutlet Ploutus ATM Skimer Tyupkin

2019-05-09 ⋅ CISA ⋅ CISA
Malware Analysis Report (AR19-129A)
ELECTRICFISH Lazarus Group

2019-04-25 ⋅ DATANET ⋅ Kim Seon-ae
Chinese-based hackers attack domestic energy institutions
CALMTHORN Ghost RAT

2019-04-24 ⋅ SpecterOps ⋅ Richie Cyrus
Introducing Venator: A macOS tool for proactive detection
AppleJeus WindTail

2019-04-11 ⋅ Computing.co.uk ⋅ Dev Kundaliya
Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea
HOPLIGHT

2019-04-10 ⋅ One Night in Norfolk ⋅ Norfolk
OSINT Reporting Regarding DPRK and TA505 Overlap
PowerBrace

2019-04-10 ⋅ The Register ⋅ Shaun Nichols
Lazarus Group rises again from the digital grave with Hoplight malware for all
Lazarus Group

2019-04-10 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR19-100A): North Korean Trojan: HOPLIGHT
HOPLIGHT

2019-03-27 ⋅ Symantec ⋅ Security Response Attack Investigation Team
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33

2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33

2019-03-26 ⋅ Kaspersky Labs ⋅ GReAT
Cryptocurrency businesses still being targeted by Lazarus
Yort Lazarus Group

2019-03-20 ⋅ Github (649) ⋅ @037
APT38 DYEPACK FRAMEWORK
DYEPACK

2019-03-18 ⋅ DCSO ⋅ DCSO
Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware
Hermes

2019-03-12 ⋅ Malwarebytes ⋅ William Tsing
The Advanced Persistent Threat files: Lazarus Group
Lazarus Group

2019-02-27 ⋅ Secureworks ⋅ CTU Research Team
A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell

2019-02-19 ⋅ Check Point Research ⋅ Check Point
North Korea Turns Against New Targets?!
KEYMARBLE

2019-01-31 ⋅ ESTsecurity ⋅ Alyac
Lazarus APT Organization Attacks with Operation Extreme Job
CoreDN

2019-01-30 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Paul Rascagnères, Jungsoo An
Fake Cisco Job Posting Targets Korean Candidates
CoreDN JessieConTea

2019-01-29 ⋅ MITRE ⋅ MITRE ATT&CK
APT38
Lazarus Group

2019-01-23 ⋅ NSHC RedAlert Labs ⋅ ThreatRecon Team
SectorA01 Custom Proxy Utility Tool Analysis
FastCash

2019-01-22 ⋅ One Night in Norfolk ⋅ Norfolk
A Lazarus Keylogger- PSLogger
PSLogger

2019-01-16 ⋅ ZDNet ⋅ Catalin Cimpanu
North Korean hackers infiltrate Chile's ATM network after Skype job interview
Lazarus Group

2019-01-15 ⋅ Flashpoint ⋅ Vitali Kremez
Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties
PowerRatankba

2019-01-07 ⋅ Intezer ⋅ Ignacio Sanmillan
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT

2019 ⋅ Dragos ⋅ Dragos
Adversary Reports
ALLANITE APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm

2019 ⋅ CISA ⋅ CISA
HIDDEN COBRA - North Korean Malicious Cyber Activity
Lazarus Group

2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
Compromise of cryptocurrency exchanges in South Korea
Lazarus Group

2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
Operation GhostSecret
Lazarus Group

2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
Covellite
Lazarus Group

2019-01 ⋅ Journal of Telecommunications and Information Technology ⋅ Maxat Akbanov, Vassilios G. Vassilakis, Michael D. Logothetis
WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms
WannaCryptor

2019 ⋅ MITRE ⋅ MITRE ATT&CK
Group description: Lazarus Group
Lazarus Group

2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
Lazarus Group
Lazarus Group

2018-12-31 ⋅ Github Repository ⋅ Frank Boldewin
FastCashMalwareDissected
FastCash

2018-12-12 ⋅ McAfee ⋅ Ryan Sherstobitoff, Asheer Malhotra
‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
Rising Sun Lazarus Group Operation Sharpshooter

2018-11-20 ⋅ Trend Micro ⋅ Lenart Bermejo, Joelson Soares
Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America
BLINDTOAD

2018-11-17 ⋅ Youtube (Demonslay335) ⋅ Michael Gillespie
Analyzing Ransomware - Beginner Static Analysis
Hermes

2018-11-08 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
FASTCash: How the Lazarus Group is Emptying Millions from ATMs
FastCash Lazarus Group

2018-11-08 ⋅ Symantec ⋅ Security Response Attack Investigation Team
FASTCash: How the Lazarus Group is Emptying Millions from ATMs
FastCash Lazarus Group

2018-10-08 ⋅ Youtube Video ⋅ Saher Naumaan
BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks
NESTEGG

2018-10-03 ⋅ Virus Bulletin ⋅ Peter Kálnai, Michal Poslušný
Lazarus Group A Mahjong Game Played with Different Sets of Tiles
Bankshot BanPolMex RAT FuwuqiDrama HOTWAX KillDisk (Lazarus) NACHOCHEESE REDSHAWL WannaCryptor

2018-10-02 ⋅ US-CERT ⋅ US-CERT
Alert (TA18-275A) HIDDEN COBRA: FASTCash Campaign
FastCash

2018-10-02 ⋅ CISA ⋅ Department of Homeland Security (DHS), Department of the Treasury (Treasury), FBI
Alert (TA18-275A): HIDDEN COBRA – FASTCash Campaign
FastCash

2018-10-01 ⋅ Youtube (FireEye Inc.) ⋅ Christopher DiGiamo, Nalani Fraser, Jacqueline O’Leary
CDS 2018 | Unmasking APT X
NESTEGG

2018-09-19 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles
Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT

2018-09-06 ⋅ Department of Justice ⋅ Office of Public Affairs
North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions
Lazarus Group

2018-08-27 ⋅ DARKReading ⋅ Jai Vijayan
North Korean Hacking Group Steals $13.5 Million From Indian Bank
Lazarus Group

2018-08-23 ⋅ Bleeping Computer ⋅ Catalin Cimpanu
Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack
Lazarus Group

2018-08-23 ⋅ Kaspersky Labs ⋅ GReAT
Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group

2018-08-09 ⋅ CISA ⋅ CISA
Malware Analysis Report (AR18-221A)
KEYMARBLE

2018-07-30 ⋅ Proofpoint ⋅ Proofpoint Staff
New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Azorult Hermes

2018-07-26 ⋅ IEEE Symposium on Security and Privacy (SP) ⋅ Danny Yuxing Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy
Tracking Ransomware End-to-end
Cerber Locky WannaCryptor

2018-06-23 ⋅ AhnLab ⋅ AhnLab
Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor

2018-06-13 ⋅ Acalvio ⋅ Team Acalvio
Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap

2018-06-13 ⋅ Threatpost ⋅ Tara Seals
Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist
Lazarus Group

2018-06-08 ⋅ United States District Court (California) ⋅ Nathan P. Shields, Rozella A. Oliver
Complaint against Jin Hyok Park
NESTEGG

2018-06-07 ⋅ Trend Micro ⋅ Fernando Mercês
New KillDisk Variant Hits Latin American Financial Organizations Again
BOOTWRECK

2018-05-29 ⋅ Bloomberg ⋅ Michelle Davis
Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret
Lazarus Group

2018-05-29 ⋅ US-CERT ⋅ US-CERT
MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap

2018-05-29 ⋅ US-CERT ⋅ US-CERT
Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap

2018-05-03 ⋅ McAfee ⋅ Ryan Sherstobitoff, Itai Liba, James Walter
Dissecting Operation Troy: Cyberespionage in South Korea
concealment_troy http_troy Lazarus Group

2018-04-27 ⋅ Bleeping Computer ⋅ Catalin Cimpanu
North Korean Hackers Are up to No Good Again
Lazarus Group

2018-04-24 ⋅ McAfee ⋅ Ryan Sherstobitoff
Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
GhostSecret

2018-04-24 ⋅ McAfee ⋅ Ryan Sherstobitoff, Asheer Malhotra
Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
Lazarus Group

2018-04-20 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos
Decoding network data from a Gh0st RAT variant
Ghost RAT APT27

2018-04-17 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos
Decoding network data from a Gh0st RAT variant
Ghost RAT APT27

2018-04-03 ⋅ ESET Research ⋅ Peter Kálnai, Anton Cherepanov
Lazarus KillDisks Central American casino
KillDisk (Lazarus) Lazarus Group

2018-03-28 ⋅ Intezer ⋅ Jay Rosenberg
Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies
Unidentified 042

2018-03-14 ⋅ Malwarebytes Labs ⋅ hasherezade, Jérôme Segura, Vasilios Hioureas
Hermes ransomware distributed to South Koreans via recent Flash zero-day
Hermes

2018-03-08 ⋅ McAfee ⋅ Ryan Sherstobitoff, Asheer Malhotra, Charles Crawford, Jessica Saavedra-Morales
Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant
Lazarus Group

2018-03 ⋅ Kaspersky Labs ⋅ Kaspersky Lab Global Research, Analysis Team
Lazarus under the Hood
NESTEGG

2018-03 ⋅ Kaspersky Labs ⋅ Kaspersky Lab
Lazarus under the Hood
BlueNoroff HOTWAX REDSHAWL WORMHOLE

2018-03-01 ⋅ Dragos ⋅ Dragos
INDUSTRIAL CONTROL SYSTEM THREATS
APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm

2018-02-12 ⋅ McAfee ⋅ Ryan Sherstobitoff, Asheer Malhotra, Jessica Saavedra-Morales, Thomas Roccia
Lazarus Resurfaces, Targets Global Banks and Bitcoin Users
CoreDN

2018-02-11 ⋅ Symantec ⋅ Ling Zhou
Technical Description: Downloader.Jelous
CoreDN

2018-02-05 ⋅ US-CERT ⋅ Unknown Unknown
HIDDEN COBRA - North Korean Malicious Cyber Activity
HARDRAIN HARDRAIN

2018-02-01 ⋅ Bitdefender ⋅ Bitdefender Team
Operation PZCHAO Inside a highly specialized espionage infrastructure
Ghost RAT APT27

2018-01-29 ⋅ Proofpoint ⋅ Darien Huss
North Korea Bitten by Bitcoin Bug
Bitsran

2018-01-24 ⋅ Trend Micro ⋅ Trendmicro
A Look into the Lazarus Group’s Operations
Lazarus Group

2018-01-24 ⋅ Trend Micro ⋅ CH Lei, Fyodor Yarochkin, Lenart Bermejo, Philippe Z Lin, Razor Huang
Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More
PowerRatankba

2018-01-15 ⋅ Trend Micro ⋅ Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira
New KillDisk Variant Hits Financial Organizations in Latin America
KillDisk (Lazarus) Lazarus Group

2018-01-04 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT

2018-01-01 ⋅ McAfee ⋅ Ryan Sherstobitoff, Itai Liba, James Walter
Dissecting Operation Troy: Cyberespionage in South Korea
Lazarus Group

2018 ⋅ FireEye ⋅ FireEye
APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group

2018 ⋅ FireEye ⋅ FireEye
APT38
CHEESETRAY CLEANTOAD NACHOCHEESE

2017-12-20 ⋅ RiskIQ ⋅ Yonathan Klijnsma
Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry
PowerRatankba

2017-12-19 ⋅ Proofpoint ⋅ Darien Huss
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT

2017-12-19 ⋅ Proofpoint ⋅ Darien Huss
North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT